pam_roles(5) Standards, Environments, and Macros pam_roles(5)
pam_roles - Solaris Roles account management module
The pam_roles module implements pam_sm_acct_mgmt(3PAM). It provides
functionality to verify that a user is authorized to assume a role. It
also prevents direct logins to a role. The user_attr(4) database is
used to determine which users can assume which roles.
The PAM items PAM_USER and PAM_RUSER are used to determine the outcome
of this module. PAM_USER represents the new identity being verified.
PAM_RUSER, if set, represents the user asserting a new identity.
If PAM_RUSER is not set, the real user ID of the calling service
implies that the user is asserting a new identity. Notice that root can
never have roles.
This module is generally stacked above the pam_unix_account(5) module.
The following options are interpreted:
debug Provides syslog(3C) debugging information at the
The following values are returned:
PAM_IGNORE If the type of the new user identity (PAM_USER)
is "normal". Or, if the type of the new user
identity is "role" and the user asserting the
new identity (PAM_RUSER) has the new identity
name in its list of roles.
PAM_USER_UNKNOWN No account is present for user.
PAM_PERM_DENIED If the type of the new user identity (PAM_USER)
is "role" and the user asserting the new identity
(PAM_RUSER) does not have the new identity
name in its list of roles.
Example 1: Using the pam_roles.so.1 module
Here are sample entries from pam.conf(4) demonstrating the use of the
cron account required pam_unix_account.so.1
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
The cron service does not invoke pam_roles.so.1. Delayed jobs are
independent of role assumption. All other services verify that roles cannot
log in directly. The "su" service (covered by the "other" service entry)
verifies that if the new user is a role, the calling user is authorized
for that role.
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE          ATTRIBUTE VALUE
Interface Stability     Evolving
MT Level                MT-Safe with exceptions
roles(1), su(1M), libpam(3LIB), pam(3PAM), pam_acct_mgmt(3PAM),
pam_setcred(3PAM), pam_set_item(3PAM), pam_sm_acct_mgmt(3PAM),
syslog(3C), pam.conf(4), user_attr(4), attributes(5),
pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5),
pam_passwd_auth(5), pam_unix_account(5), pam_unix_auth(5),
The interfaces in libpam(3LIB) are MT-Safe only if each thread within
the multi-threaded application uses its own PAM handle.
This module should never be stacked alone. It never returns PAM_SUCCESS,
as it never makes a positive decision.
SunOS 5.10 9 Mar 2004 pam_roles(5)